---

#
# This is the base role for all machines.
# Things in here are things we want to do to every machine no matter what.
#

- name: ensure packages required for semanage are installed (yum)
  package: name={{ item }} state=present
  when: ansible_distribution_major_version|int < 22
  with_items:
  - policycoreutils-python
  tags:
  - selinux

- name: ensure packages required for semanage are installed (dnf)
  dnf: name={{ item }} state=present
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
  with_items:
  - policycoreutils-python-utils
  tags:
  - selinux

# XXX fixme # a datacenter 'fact' from setup
- name: /etc/resolv.conf
  copy: src={{ item }} dest=/etc/resolv.conf
  when: not nm_controlled_resolv
  with_first_found:
  - "{{ resolvconf }}"
  - resolv.conf/{{ inventory_hostname }}
  - resolv.conf/{{ host_group }}
  - resolv.conf/{{ datacenter }}
  - resolv.conf/resolv.conf
  tags:
  - config
  - resolvconf
  - base
  - ifcfg

- name: check for NetworkManager/nmcli
  command: /usr/bin/test -f /usr/bin/nmcli
  register: nmclitest
  ignore_errors: true
  changed_when: false
  failed_when: "1 != 1"
  check_mode: no
  tags:
   - config
   - resolvconf
   - base
   - ifcfg

- name: disable resolv.conf control from NM
  ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
  notify:
  - restart NetworkManager
  when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
  tags:
   - config
   - resolvconf
   - base
   - ifcfg

- name: get interface uuid
  shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br'
  register: if_uuid
  changed_when: false
  failed_when: 'if_uuid.stdout == ""'
  check_mode: no
  when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist )
  tags:
   - config
   - ifcfg
   - base

- name: copy ifcfg files - non virthost
  template: src=ifcfg.j2 dest=/etc/sysconfig/network-scripts/ifcfg-{{item}} mode=0644
  with_items:
  - "{{ ansible_interfaces }}"
  notify:
#  - restart NetworkManager
  - reload NetworkManager-connections
  - apply interface-changes
  when: (virthost is not defined) and (item.startswith(('eth','br','enc'))) and (hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether') and (ansible_distribution_major_version|int >=7) and hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active'] and nmclitest is success and ( not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist )
  tags:
   - config
   - ifcfg
   - base

- name: global default packages to install (yum)
  package: state=present name={{ item }}
  with_items:
   - "{{ global_pkgs_inst }}"
  tags:
  - packages
  - base
  when: ansible_distribution_major_version|int < 22

- name: global default packages to install (dnf)
  dnf: state=present name={{ item }}
  with_items:
   - "{{ global_pkgs_inst }}"
  tags:
  - packages
  - base
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined

- name: make sure hostname is set right on rhel7 hosts
  hostname: name="{{inventory_hostname}}"

#
# We set builders root password in the koji_builder role, so do not set those here
#

- name: set root passwd
  user: name=root password={{ rootpw }} state=present
  tags:
  - rootpw
  - base
  when: not inventory_hostname.startswith(('build','bkernel','koji01.stg','s390','fed-cloud09','compose','rawhide','branched'))

- name: add ansible root key
  authorized_key: user=root key="{{ item }}"
  with_file:
  - ansible-pub-key
  tags:
  - config
  - base

- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
  lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
  when: not nm_controlled_resolv
  tags:
  - config
  - base

- name: dist pkgs to remove (yum)
  package: state=absent name={{ item }}
  with_items:
   - "{{ base_pkgs_erase }}"
  tags:
  - packages
  - base
  when: ansible_distribution_major_version|int < 22

- name: dist pkgs to install (yum)
  package: state=present name={{ item }}
  with_items:
   - "{{ base_pkgs_inst }}"
  tags:
  - packages
  - base
  when: ansible_distribution_major_version|int < 22

- name: dist pkgs to remove (dnf)
  dnf: state=absent name={{ item }}
  with_items:
   - "{{ base_pkgs_erase }}"
  tags:
  - packages
  - base
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined

- name: dist pkgs to install (dnf)
  dnf: state=present name={{ item }}
  with_items:
   - "{{ base_pkgs_inst }}"
  tags:
  - packages
  - base
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined

- name: dist disabled services
  service: state=stopped enabled=false name={{ item }}
  with_items:
   - "{{ service_disabled }}"
  tags:
  - service
  - config
  - base

- name: dist enabled services
  service: state=started enabled=true name={{ item }}
  with_items:
   - "{{ service_enabled }}"
  tags:
  - service
  - config
  - base

- name: iptables
  template: src={{ item }} dest=/etc/sysconfig/iptables mode=0600 validate="/sbin/iptables-restore --test %s"
  with_first_found:
   - iptables/iptables.{{ datacenter }}
   - iptables/iptables.{{ inventory_hostname }}
   - iptables/iptables.{{ host_group }}
   - iptables/iptables.{{ env }}
   - iptables/iptables
  when: baseiptables
  notify:
  - restart iptables
  - reload libvirtd
  - restart docker
  tags:
  - iptables
  - config
  - base

- name: iptables service enabled
  service: name=iptables state=started enabled=true
  tags:
  - iptables
  - service
  - base
  when: baseiptables

- name: ip6tables
  template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
  with_first_found:
   - iptables/ip6tables.{{ datacenter }}
   - iptables/ip6tables.{{ inventory_hostname }}
   - iptables/ip6tables.{{ host_group }}
   - iptables/ip6tables.{{ env }}
   - iptables/ip6tables
  when: baseiptables
  notify:
  - restart ip6tables
  - reload libvirtd
  tags:
  - ip6tables
  - config
  - base

- name: ip6tables service enabled
  service: name=ip6tables state=started enabled=true
  tags:
  - ip6tables
  - service
  - base
  when: baseiptables

- name: enable journald persistence
  file: path=/var/log/journal state=directory
        owner=root group=systemd-journal mode=2755
  when: ansible_distribution_major_version|int >= 7
  tags:
  - journald
  - config
  - base
  notify:
  - flush journald tmpfiles to persistent store

- name: rsyslog.conf
  copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644
  with_first_found:
    - rsyslog/rsyslog.conf.{{ inventory_hostname }}
    - rsyslog/rsyslog.conf.{{ dist_tag }}
    - rsyslog/rsyslog.conf.default
  notify:
  - restart rsyslog
  tags:
  - rsyslogd
  - config
  - base

- name: rsyslog log rotate for rsyslog servers
  copy: src=rsyslog/merged-rsyslog dest=/etc/logrotate.d/merged-rsyslog mode=0644
  when: inventory_hostname.startswith('log')
  notify:
  - restart rsyslog
  tags:
  - rsyslogd
  - config
  - base

- name: add rsyslog config to /etc/rsyslog.d
  copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
  with_fileglob:
   - rsyslog/*.conf
  notify:
  - restart rsyslog
  tags:
  - rsyslogd
  - config
  - base

- name: log everything to log01 except on mirrorlist, do not log local4 there.
  copy: src=rsyslog/rsyslog-log01 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
  when: not inventory_hostname.startswith(('mirrorlist','copr'))
  tags:
  - rsyslogd
  - config
  - base

- name: log everything to log01 except on mirrorlist, do log local4 there.
  copy: src=rsyslog/rsyslog-log01-nolocal4 dest=/etc/rsyslog.d/rsyslog-log01.conf mode=0644
  when: inventory_hostname.startswith('mirrorlist')
  tags:
  - rsyslogd
  - config
  - base

- name: rsyslogd make systemd limits directory for file handles
  file: dest=/etc/systemd/system/rsyslog.service.d/ mode=0755 owner=root group=root state=directory
  when: inventory_hostname.startswith('log')
  tags:
  - rsyslogd
  - config

- name: rsyslogd put systemd limits directory for file handles
  copy: src=rsyslog/rsyslog-limits.conf dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
  when: inventory_hostname.startswith('log')
  tags:
  - rsyslogd
  - config

# Custom selinux policy to allow rsyslog to read and send audit to log01
- name: ensure a directory exists for our custom selinux module
  file: dest=/usr/local/share/rsyslog state=directory
  tags:
  - rsyslogd
  - config
  - rsyslog-audit

- name: copy over our custom selinux module
  copy: src=selinux/rsyslog-audit.pp dest=/usr/local/share/rsyslog/rsyslog-audit.pp
  register: selinux_module
  tags:
  - rsyslogd
  - config
  - rsyslog-audit

- name: install our custom selinux module
  command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
  when: selinux_module is changed
  tags:
  - rsyslogd
  - config
  - rsyslog-audit

# Custom selinux policy to allow unix_chkpwd to map PAM database
- name: copy over our custom selinux module
  copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
  register: selinux_module
  when: ansible_distribution_major_version|int >= 27
  tags:
  - config
  - selinux

- name: install our custom selinux module
  command: semodule -i /usr/local/share/mapchkpwd.pp
  when: selinux_module is changed
  tags:
  - selinux
  - config

- name: Setup postfix
  import_tasks: postfix.yml

#
# This task installs some common scripts to /usr/local/bin
# scripts are under roles/base/files/common-scripts
#

- name: Install common scripts
  copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
  with_fileglob:
   - common-scripts/*
  tags:
  - config
  - base
  - common-scripts

- name: install a sync httpd logs cron script only on log01
  copy: src=syncHttpLogs.sh dest=/etc/cron.daily/syncHttpLogs.sh mode=0755
  when: inventory_hostname.startswith('log01')
  tags:
  - config
  - base

- name: Drop in a little system_identification note
  template: src=system_identification dest=/etc/system_identification
  tags:
  - config
  - base

#
# Blacklist the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
#
- name: Blacklist cdc_ether module
  copy: src=blacklist-cdc_ether.conf dest=/etc/modprobe.d/blacklist-cdc_ether.conf
  when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
  tags:
  - config
  - base
  - cdc_ether

#
# Watchdog stuff
#
- name: Set up watchdog
  import_tasks: watchdog.yml


#Set PS1 to show stage environment at PS1
#
- name: set PS1 for stage in /etc/profile.d
  copy: >
    src=setstgps1.sh
    dest="/etc/profile.d/setstgps1.sh"
    owner=root
    group=root
    mode=0644
  when: env == 'staging'
  tags:
  - base
  - config
  - prompt

#Set PS1 to show prod environment at PS1
#
- name: set PS1 for prod in /etc/profile.d
  copy: >
    src=setprodps1.sh
    dest="/etc/profile.d/setprodps1.sh"
    owner=root
    group=root
    mode=0644
  when: env == 'production'
  tags:
  - base
  - config
  - prompt

# Set krb5 conf
- name: configure krb5
  template: src=krb5.conf.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
  when: not inventory_hostname.startswith('ipa')
  tags:
  - base
  - config
  - krb5

- name: configure krb5 (IPA master)
  template: src=krb5.conf.master.j2 dest=/etc/krb5.conf owner=root group=root mode=0644
  when: inventory_hostname.startswith('ipa')
  tags:
  - base
  - config
  - krb5

- name: Setup host keytab
  import_tasks: keytab.yml

# SSSD-KCM has been showing way too many bugs with it saying "I have a ticket" while the ticket
# is actually expired, and kinit's still not refreshing them and such alike.
# Let's just nuke it for now.
- name: We do NOT use sssd-kcm
  file: path=/etc/krb5.conf.d/kcm_default_ccache state=absent
  tags:
  - base
  - config
  - krb5
